Following this post a few weeks back ; http://singletrackworld.com/forum/topic/internet-fraud-via-email-questions

Really need some legal advice guys, banks won’t help, the bank where the cash went to has sent us the remainder that was in the account… The grand some of £11.36 !!! But must add, they are “not admitting liability” !!!
Builder has basically buried his head in the sand assuming it’s my issue. The demand for cash and payment detail was from his business email, therefore I feel his negligence on email security. I’m not wanting to upset anyone at this stage but feel after its completed, I will not be paying the final payment. Am I legally safe in doing this ?

One question. Are you the only customer of the builder to have received the fraudulent emails?

I’ve not read all the other thread but I’d be getting someone technical to look at the source of the email.

Was it genuinely not from your builder or from them with wrong bank details? As above, just you affected?

At first glance someone targeted you with knowledge of the situation of you can prove is from builders email account (hacked or fraud employee) then they’re more likely to be liable?

Awful situation to find yourself in.

they must have spied on his email for a while as they knew exactly when to request the money ?

In answer to the questions, I’m the only one… He’s a one man band so has literally one job at a time.
Email came from him on the same email address (uses hotmail) with the fraudulent details. Knew costs and when to ask etc.

Was it genuinely not from your builder or from them with wrong bank details? As above, just you affected?

Seems to be quite a prevalent scam.

http://www.bbc.co.uk/news/business-36086055

What I don’t get is most online email accounts notify you if email forwarding is setup or irregular logins occur. So curious how they do it. Especially as they must be monitoring hundreds/thousands of email accounts to get their specific targets.

That aside, it seems appealing to your bank is literally the only way forward going off that Beeb link.

we have the same issue on a project we are involved with , no answers i’m afraid waiting to see what happens.

If you had prior email correspondance with the builder on the price then it’s possible your machine was the one compromised – something to be clear on prior to any laying-down-the-law with the builder.

I feel for you as it’s a pernicious fraud that could catch anyone out. The banks are having it both ways, as well – happy to advise you to guard against cyber-fraud, that’s 100% your responsibility. But totally remiss in their own security in letting criminals set up bank accounts with false credentials. There’s clearly a significant element of culpability on their behalf, but how you get them to face up to that I have no idea – seems like it would take a group effort from victims of this scam to get some movement there.

Is the factual basis that the email is the builder’s genuine email address but he is the only one telling you the account details are not his? In effect, you fear you have been defrauded because the payee has told you the account details are wrong? How do you know that for sure?

Can you claim on home insurance? I cant see that it is either the banks’ or the builders fault. If someone had made up a fake paper invoice and mailed it to you you wouldn’t claim it was their fault

But, your point is understood and we nearly got taken on a similar thing at work but spotted it in time.

If someone had made up a fake paper invoice and mailed it to you you wouldn’t claim it was their fault

If the email was sent from the builders email account then the OP could reasonably expect the details to be correct, imo (IANAL).

Like if the builder hand delivered an invoice with the wrong details on?

I don’t really understand the question. Are you saying you are going to re-send the downpayment so that he does that work but then not pay him the balance due on completion of the work? It you’re making that decision now, fully intending to let him do the work with no intention of paying him in full, that’s bad faith in my opinion.

There’s no precedent to say that he is liable for the loss of the £9k. You would have no legal basis for withholding the balance at completion and you could expect to be sued by one v peed off builder.

What’s happened is awful and I sympathise. The strict answer is that you should have checked the details with him in person or by phone before paying out such a large sum. It’s easy to say in retrospect of course, there’s very few people who would do that but this sort of thing is very much on the rise.

If it were me I’d try to negotiate with the builder to bring down costs a bit whilst simultaneously continuing to hassle your bank to see if they will make any sort of good faith gesture to help. What you can’t and shouldn’t do is let him do the work with no intention of paying him.

I know this really doesn’t help the OP, so apologies there, but a good tip is to alway send a minimal amount first over BT. Then check via a trusted method, so face to face or on a known number, that the money has come across. Then start sending across £k’s. I usually do this to mitigate my sausage fingers typing in the wrong account number*, but would work here as well.

*I assume there is a good reason why banks don’t have you enter details x2 to remove the risk of putting in the wrong number by accident? Obviously if the number you have is wrong to start with, then it wouldn’t help there, but still….

The law around liability for security breaches is pretty blurry. If the builder was an ecommerce company taking transactions over the web you’d have an argument but I think you’d need to take him to court rather than just create a liability for you where you’d almost certainly lose. One liability doesn’t counteract the other.

A colleague of mine bought a car on ebay and had the same issue. Email from the person asking for a bank transfer, did it, no car, no cash. Email address was genuine but the end result was like you. 7k down the toilet (to be fair, the price was stupidly low, he should have known betteR).

IMO do NOT get him to start the work in bad faith.

I guess it may depend on whether the builder’s account was compromised, and if so, was it their fault? In that case, they could possibly be liable for the loss. If not, I’d say you are out of luck. It is a worrying fraud and not one I’d come across before seeing your original post. I’ve paid several bills which were sent via email in the same way, never thought they could be compromised. In fact I always assumes this was the safest route as I could cut and paste the account number and not risk mis-typing it.

That said, the banking system stinks that there is no recourse in the case of mistaken payments, let alone fraudulently claimed ones. What about all the requirements for proof of identity when opening accounts, and money laundering regulations?

I know this really doesn’t help the OP, so apologies there, but a good tip is to alway send a minimal amount first over BT. Then check via a trusted method, so face to face or on a known number, that the money has come across. Then start sending across £k’s. I usually do this to mitigate my sausage fingers typing in the wrong account number*, but would work here as well.

This is an excellent piece of advice.

If you had prior email correspondance with the builder on the price then it’s possible your machine was the one compromised – something to be clear on prior to any laying-down-the-law with the builder.

This +1

The ‘from’ portion of the e-mail is about as secure as the ‘from’ line of a formal letter, you could write anything up there, although there should still be an IP number (like the postmark on the envelope).

A less nefarious example is every time you fill out a “contact us” form on a website, the recipient at the other end get’s an e-mail ‘from’ whatever address you input. No need to compromise Hotmail or his PC’s security. Although someone somewhere has slipped up as the fraudster presumably have a copy of the original quote/invoice, they could even have got it the old fashioned way by going through your bins.

Funnily enough, his garage was broken into a few weeks earlier…builder didn’t give much away but did slip that there was “paperwork and stuff” in there.

sorry to hear OP nothing useful to add, but hope it works out for you.

It is very easy to make an email look like it comes from a different address.

I don’t see how the bank could be liable – they paid the money across exactly according to your instructions, and £9k is below the limit for money laundering checks to kick in IIRC.

If the Police decide there is a fraud case to pursue you may have some luck there, and the bank will have to pass along any details they have to the Police.

Expensive lesson !

Thanks Hels above. The reason I’d question the bank’s integrity is that they ask for payee details when doing a bank transfer… They either ignore this (in which case why ask for it in the first place? ) or if they did use it (and the name matched), the account holder has obviously set up this under false pretences.

If the email was sent from the builders email account then the OP could reasonably expect the details to be correct, imo (IANAL).

It’s a good point but I’m not sure an email by itself would be considered a ‘signature’ if you like, i.e. Just sending an email wouldn’t normally be enough to ‘sign’ a contract, you would need some sort of electronic signature as well. It tends to suggest that having access to an email account might not be considered any more proof than being able to reproduce headed paper, assuming of course that it did come from the actual email account and wasn’t spoofed

At work we now verify all accounts by a second means, e.g. Phone, but I guess we are not really ready to have to do that at home yet 🙁

I do feel for the op though. In the end it is theft so I would be getting a police report and seeing if I can claim on insurance somewhere

Banks are **** useless. Our company wrote out a check to peveril decorators for a 5 figure some a few moths ago. About 2 weeks later they contacted us chasing payment. What payment as you’ve had a check and its been cashed we say. Oh no we haven’t they say. The check actually went further down the road to Derbyshire decorators who actually managed to bank and get the check cleared. It took over 6 weeks to sort even though they knew who had cashed it…

If the builders email account has been hacked then it is his issue and he should be able to claim on his business insurance, or should have business insurance to cover this. If the email has not actually come from his account and just looks like it has then it is your responsibility.

Let me speak to my wife about it as she deals with cyber insurance. She might have some legal contacts that could help.

http://www.theguardian.com/money/2016/mar/04/fraud-scam-email-barclays-lloyds

I’d be looking into a small claims case against the bank that received your funds, arguing that lack of proper identity checks when opening the account, or lack of checks when transferring the number, allowed the scam to work.
It’ll cost you a relatively small amount of money to start proceedings.
They’ll try and argue all sorts of stuff before court though, so be prepared to hold your nerve.

I wouldn’t withhold money from the builder.

Response back from my wife who specialises in cyber insurance for businesses. I have asked her if she knows of any legal firms that might be able to help. For £9K its probably worth it.

“Please caveat this response with the fact it is NOT legal advice. On the limited information below it is the builder who has the issue.

If the builder’s system and email account was hacked then this is an issue for the builder. The client has paid the bill based on what he has seen as a legitimate email from the builder. A phishing type email is slightly different in that it could be made to look like it’s from the builder but with some minor defects, i.e. the actual email address is completely different. I don’t know where this guy is based but it is certainly worth contacting the cyber crime unit but really it’s for the builder to do as he is the one that has suffered the crime. Try calling Action Fraud, the may be able to give some advice: http://www.actionfraud.police.uk/

In fairness to the bank, it is not their fault and in all honesty the banks often end up picking up the bill for issues that are out of their control.

I would suggest that this chap is entirely within his rights not to forward this £9k again. The builder would either need to prove that the email has not come from his email address (which it sounds like it has) or it’s an issue he needs to deal with himself. The builder should check his own insurances to see if there is an element of cyber cover included, some insurers are starting to add a small amount in to other products. Bit of a long shot but he might have something.”

The message header from the original email should be enough to establish where the email originated from and even whether it was sent from the builders’ compromised PC (which would place more onus on the builder) The builder may need his ISP to help do this, who may in turn require a crime number.

The bank is not a party to the fraud but it does have a fraudster as a customer and has a legal duty to be all over this like a rash, the employees can face prison sentences if the fail to act. However – this is likely to be a stable door / bolted horse situation.

As for liability – I am sorry to say that you have been defrauded and that is no fault of the builder (on the assumption proving he is at fault is impossible to prove).

When a builder is coming to the house to do the work anyway is the simplest thing not to ask for a paper invoice and hand him a cheque?

A report to Action Fraud will get a crime number but I wouldn’t hold my breath expecting much else. Much fraud is logged, not investigated.

My understanding is that Action Fraud logs frauds reported to it and where there is scope for enquiry sends packages to local forces to progress. Which is where it meets priorities and resources and may just be shelved. The HMIC report on Action Fraud makes depressing reading. For example.

the National Police Co-ordinator for Economic Crime wrote to every chief constable in March 2015 highlighting best practice. In his letter, he stressed that the entire process needed to be “owned by an accountable chief officer”. He asked that every force notify him of its nominated chief officer.

9.25. By August 2015, he had received only 14 responses out of a possible 43.

We understand other forces impose arbitrary limits on the number of bureau referrals which they will investigate.

9.62. In one force, that limit has been set at 20 percent

.https://www.justiceinspectorates.gov.uk/hmic/our-work/digital-crime-and-policing/real-lives-real-crimes-a-study-of-digital-crime-and-policing/chapter-9-how-do-forces-action-fraud-and-the-national-fraud-intelligence-bureau-work-together/